Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.


Earlier today (~5 PM), I noticed my computer running very slowly. I opened top, saw "basename" running using 99% CPU. I looked at the tree view in ksysguard and saw that crond was running it. I took a look at my crontab, nothing out of the ordinary. Took a look at the contents of /etc/cron.*/* (this is on Slackware, daily, hourly, and weekly auto scripts are put in there and run with run-parts, which is how this was being run), and saw this:

Nothing out of the ordinary at ALL, but basename was running (not in there) at a weird time (5 PM shouldn't have anything running via cron)... at this point I didn't think much of it, and killed the process and went on with what I was doing.

Later (~8:30 PM), while I was working on my log analyser (in pygtk, tails logs, highlights IPs, click IPs to get info on them such as reverse DNS), I noticed a lot of packets being dropped by my egress firewall rules going OUT of my computer to IPs that were standard DSL, cable, etc. by looking at the reverse DNSs. I started getting suspicious then. I ran rkhunter, and got this:

I immediately locked down my computer at that point (unplugged my ethernet cord, turned on "unplugged" firewall mode so that even if the cord magically plugged itself back in nothing was going to go in or out). I then looked at the processes running, (I know, I have a proper rootkit installed and this doesn't matter), took a look at netstat, etc. I found out that "wget" had a socket open. Looked at "ps aux | grep wget" and saw that wget was running with identical switches to my Slackware updating bash script I wrote, and downloading a file that wget downloads on my updating script. I took a look at the rules again, and noticed that they were on ports tor uses (9030), but I have blocked (I have 9001-9009 or so allowed), and so those logs I've ruled out as false positives, too.

chkrootkit and my own hash databasing script brought up nothing as well.

Right now, I'm only on medium-low alert, and just want explanations for three things, and then I'll be certain that this was a false positive.

1) Why was basename running at a weird time under the crond, run-parts processes? Does updatedb call it? I'm almost certain rmmod and logrotate don't.

2) Why was basename using 99% CPU?

3) Why is rkhunter crippled, and how do I fix it? I haven't run rkhunter in a while (1-2 weeks, my status cron script is broken right now so it doesn't automatically email me all the status stuff like it used to), so this might be a problem with some updates on Slackware recently.

I tried re-downloading rkhunter, and it's still not working. md5sum is working fine, and rkhunter normally runs fine...

Any ideas for these?

EDIT: I was also thinking of letting my egress filtering go to normal filtering (allow all outgoing) for ~1 week or so and see if my IP shows up on dshield or not.
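One way to answer question 1 the next time it happens is to capture the process table and walk the suspicious PID's ancestry until you hit the run-parts child, which is the cron script that actually spawned it. The following is an added example, not code from the poster; the `ps` snapshot, PIDs and script names in it are constructed for illustration.

```python
"""Walk a process's ancestry from `ps -eo pid,ppid,args` output (added example).

Given a snapshot of the process table, show the chain from a suspicious
PID (here a "basename" pegging the CPU) up to init, and name the cron
script that run-parts launched.  SAMPLE_PS is a constructed table, not a
real capture; in practice feed parse_ps() the output of
`ps -eo pid,ppid,args` taken while the process is still running.
"""

SAMPLE_PS = """\
  PID  PPID ARGS
    1     0 init [3]
  812     1 /usr/sbin/crond -l notice
 4410   812 /usr/bin/run-parts /etc/cron.hourly
 4412  4410 /bin/sh /etc/cron.hourly/example-job
 4415  4412 basename /var/log/some/long/path
 4500     1 /usr/bin/wget -N http://example.invalid/file
"""


def parse_ps(text):
    """Return {pid: (ppid, args)} from `ps -eo pid,ppid,args` output."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        table[int(parts[0])] = (int(parts[1]), parts[2])
    return table


def ancestry(table, pid):
    """List (pid, args) from `pid` up to the root, oldest ancestor last."""
    chain, seen = [], set()
    while pid in table and pid not in seen:     # `seen` guards against loops
        seen.add(pid)
        ppid, args = table[pid]
        chain.append((pid, args))
        pid = ppid
    return chain


def cron_job_for(table, pid):
    """Return the run-parts child (the cron script) that led to `pid`, or None."""
    chain = ancestry(table, pid)
    for (_, child_args), (_, parent_args) in zip(chain, chain[1:]):
        if "run-parts" in parent_args.split()[0]:
            return child_args
    return None
```

If the chain ends at a script in /etc/cron.*, that script is where to look; if `cron_job_for` returns None for something that looked cron-driven, the parent had already exited or the process was not started by run-parts at all.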